diff -Nur qpsmtpd-0.84/lib/Qpsmtpd/SMTP.pm qpsmtpd-0.84_bz8863/lib/Qpsmtpd/SMTP.pm
--- qpsmtpd-0.84/lib/Qpsmtpd/SMTP.pm 2015-05-15 15:38:15.796000000 +0200
+++ qpsmtpd-0.84_bz8863/lib/Qpsmtpd/SMTP.pm 2015-05-15 15:39:30.602000000 +0200
@@ -240,7 +240,11 @@
 }
 # Check if we should only offer AUTH after TLS is completed
- my $tls_before_auth = ($self->config('tls_before_auth') ? ($self->config('tls_before_auth'))[0] && $self->transaction->notes('tls_enabled') : 0);
+ my $tls_before_auth = ($self->config('tls_before_auth') ?
+ (
+ ($self->config('tls_before_auth'))[0] &&
+ ($self->transaction->notes('tls_enabled') || $self->connection->notes('tls_force_disabled'))
+ ) : 0);
 if ( %auth_mechanisms && !$tls_before_auth) {
 push @capabilities, 'AUTH '.join(" ",keys(%auth_mechanisms));
 $self->{_commands}->{'auth'} = "";
diff -Nur qpsmtpd-0.84/plugins/tls qpsmtpd-0.84_bz8863/plugins/tls
--- qpsmtpd-0.84/plugins/tls 2015-05-15 15:38:15.791000000 +0200
+++ qpsmtpd-0.84_bz8863/plugins/tls 2015-05-15 15:55:06.719000000 +0200
@@ -107,9 +107,15 @@
 }
 sub hook_ehlo {
- my ($self, $transaction) = @_;
+ my ($self, $transaction, $host) = @_;
 return DECLINED unless $self->can_do_tls;
 return DECLINED if $self->connection->notes('tls_enabled');
+ return DECLINED unless $host;
+ if ($self->_is_in_notls($host)) {
+ $self->log(LOGINFO, "Disabling TLS as host matches one of the notls config file");
+ $self->connection->notes('tls_force_disabled', 1);
+ return DECLINED;
+ }
 return DENY, "Command refused due to lack of security" if $transaction->notes('ssl_failed');
 my $cap = $transaction->notes('capabilities');
 $cap ||= [];
@@ -165,6 +171,22 @@
 return DECLINED;
 }
+sub _is_in_notls {
+ my ($self, $host) = @_;
+
+ $host = lc $host;
+ foreach my $line ($self->qp->config('notls')) {
+ # If line is a regex
+ if ($line =~ /[\{\}\[\]\(\)\^\$\|\*\+\?\\\!]/ && $host =~ /$line/) {
+ return 1;
+ }
+ if ($host eq lc $line) {
+ return 1;
+ }
+ }
+ return;
+}
+
 sub _convert_to_ssl {
 my ($self) = @_;
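Review bot: The new `|| $self->connection->notes('tls_force_disabled')` term makes `$tls_before_auth` true for a peer whose TLS was forced off, and the `!$tls_before_auth` guard on the following line then withholds AUTH from it exactly as from a session that has already completed STARTTLS; nothing in the hunk says whether notls peers should get AUTH in the clear or no AUTH at all, and the variable's name reads as if the term were meant to be negated, so the intended polarity needs confirming before this ships. The expression also reads `$self->transaction->notes('tls_enabled')` while hook_ehlo in plugins/tls (second file of this patch) tests `$self->connection->notes('tls_enabled')`; if only the connection note is set once TLS is up, this gate never observes an established TLS session. Because this line decides whether credentials may travel over plaintext, a comment above the assignment such as `# true => AUTH is not advertised: TLS already up, or TLS forced off for this peer via the notls list` would make the behaviour reviewable. The enclosing method starts and ends outside the hunk.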
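Review bot: `tls_force_disabled` is set on the connection when the EHLO argument matches the notls list but is never cleared, so a later EHLO on the same connection with a non-matching name falls through to advertising STARTTLS here while SMTP.pm keeps treating the peer as forced-off; reset it before the check, `$self->connection->notes('tls_force_disabled', 0);` directly after `return DECLINED unless $host;`. Note also that `$host` is the client-asserted EHLO name rather than a verified identity, so this opt-out, and the AUTH gating keyed on the note in SMTP.pm, is chosen by the remote end of the socket; if the list is meant to cover specific broken peers, comparing the connection's remote address or resolved hostname is harder to influence, and the config documentation should state which value is compared. The log line would be more useful for auditing cleartext sessions if it named the value, e.g. `"Disabling TLS: EHLO host '$host' matches notls config"`. hook_ehlo continues past the hunk.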
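Review bot: Each notls line containing a metacharacter is interpolated unanchored into `$host =~ /$line/`, so a pattern matches any substring of the name and can disable TLS for far more peers than the entry intends; anchor it as `\A(?:$line)\z`, and apply `/i` so the regex branch agrees with the `lc` comparison used by the literal branch. A malformed pattern in the config file currently dies inside hook_ehlo on every EHLO because the regex is compiled at match time with no `eval`/`qr` guard, which turns one bad config line into a denial of the command for every client. The rewritten loop below compiles each pattern once per call under `eval`, logs and skips invalid entries, and keeps the existing fall-through to the exact-match test; a comment on the sub stating that notls lines are either exact (case-insensitive) hostnames or Perl regexes would document the format. The trailing context of the hunk is the start of `_convert_to_ssl`, whose body lies outside it.
```perl
sub _is_in_notls {
    my ($self, $host) = @_;

    $host = lc $host;
    foreach my $line ($self->qp->config('notls')) {
        # Lines with regex metacharacters are patterns; anchor them so an
        # entry cannot match a mere substring of the EHLO name.
        if ($line =~ /[{}\[\]()^\$|*+?\\!]/) {
            my $re = eval { qr/\A(?:$line)\z/i };
            if (!defined $re) {
                $self->log(LOGWARN, "Ignoring invalid notls pattern '$line': $@");
                next;
            }
            return 1 if $host =~ $re;
        }
        # … unchanged: exact (lowercased) comparison and final return …
    }
    return;
}
```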